dotfiles/nixos/security-kernel.nix

{ config, pkgs, ... }:
{
  boot.kernelPatches = [ {
    name = "cyplo-hardened";
    patch = null;
    extraConfig = ''
      LOCKUP_DETECTOR y
      HARDLOCKUP_DETECTOR y
      BUG y

      SECURITY_SELINUX_DISABLE  n

      STRICT_KERNEL_RWX  y

      DEBUG_CREDENTIALS      y
      DEBUG_NOTIFIERS        y
      DEBUG_SG               y
      SCHED_STACK_END_CHECK  y

      SHUFFLE_PAGE_ALLOCATOR  y

      SLUB_DEBUG  y

      PAGE_POISONING            y
      PAGE_POISONING_NO_SANITY  y
      PAGE_POISONING_ZERO       y

      SECURITY_SAFESETID  y

      PANIC_TIMEOUT  -1

      GCC_PLUGINS  y
      GCC_PLUGIN_LATENT_ENTROPY  y

      GCC_PLUGIN_STRUCTLEAK  y
      GCC_PLUGIN_STRUCTLEAK_BYREF_ALL  y
      GCC_PLUGIN_STACKLEAK  y
      GCC_PLUGIN_RANDSTRUCT y
      GCC_PLUGIN_RANDSTRUCT_PERFORMANCE  y

      ACPI_CUSTOM_METHOD  n
      PROC_KCORE          n
      INET_DIAG           n
    '';
  } ];
}
port to new settings style 2020-05-09 11:02:36 +01:00			`{ config, pkgs, ... }:`
			`{`
			`boot.kernelPatches = [ {`
			`name = "cyplo-hardened";`
			`patch = null;`
			`extraConfig = ''`
			`LOCKUP_DETECTOR y`
			`HARDLOCKUP_DETECTOR y`
			`BUG y`

			`SECURITY_SELINUX_DISABLE n`

			`STRICT_KERNEL_RWX y`

			`DEBUG_CREDENTIALS y`
			`DEBUG_NOTIFIERS y`
			`DEBUG_SG y`
			`SCHED_STACK_END_CHECK y`

			`SHUFFLE_PAGE_ALLOCATOR y`

			`SLUB_DEBUG y`

			`PAGE_POISONING y`
			`PAGE_POISONING_NO_SANITY y`
			`PAGE_POISONING_ZERO y`

			`SECURITY_SAFESETID y`

			`PANIC_TIMEOUT -1`

			`GCC_PLUGINS y`
			`GCC_PLUGIN_LATENT_ENTROPY y`

			`GCC_PLUGIN_STRUCTLEAK y`
			`GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y`
			`GCC_PLUGIN_STACKLEAK y`
			`GCC_PLUGIN_RANDSTRUCT y`
			`GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y`

			`ACPI_CUSTOM_METHOD n`
			`PROC_KCORE n`
			`INET_DIAG n`
			`'';`
			`} ];`
			`}`